Auth Intro / Terms

bcrypt - The library we will be using for hashing, salting, and decrypting passwords is the bcrypt library. The library is based on the blowfish cipher, a widely recognized algorithm for secure one way hashing.

one-way encryption - With one-way encryption, also called hashing, encrypted information is not meant to be decrypted. This is quite common when thinking about passwords. Ideally the only person who should be aware of their password is the person who created it, as this is much more secure. As you'll see, we'll be hashing passwords and storing the hashes in a database. When a user then attempts to log in, we can hash the password they provide and see if there is a match between hashes. This allows us to authenticate a user without knowing what their password is. While this is a good start, hashing alone is not secure as it opens yourself up to dictionary attacks.

dictionary attack - A dictionary attack occurs when a hacker takes all possible combinations of characters and runs it through a hashing algorithm. Once they have found a hash that matches yours, they can look up the text in the dictionary they have built and voila - you are hacked!

salting - In order to prevent dictionary attacks, we add a randomized string of characters to the password (the salt) and then hash the entire password. This prevents someone from successfully creating a dictionary.

two-way encryption - In contrast with one way encryption, two-way encryption is meant to be decrypted, often with some sort of key that the parties can use for decryption. This is very common when establishing a secure connection between another party (SSH keys on GitHub).

Auth with bcrypt

To get started with bcrypt, let's first mkdir learn-bcrypt && cd learn-bcrypt and then install the module using npm install bcrypt. Instead of building a new express app, let's start by playing around in a node console, or create a file and add the following:

Let's step through this code a bit. First, bcrypt.hash will hash our password. We include a number (saltRounds), which you can roughly think of as measuring how many steps are involved in creating the hash. (Try changing 10 to 16, and see how much longer it takes to run the above code!)

Once the password is hashed, it is logged to the console. You should see something like this:

The prefix just indicates that bcrypt was used to generate the string. The salt is a random string that is then combined with the password to generate the hashed password. In particular, the hash that we get from bcrypt includes the salt in it! This is what allows us to check passwords when users attempt to log in later: the combination of salt, work factor, and password uniquely determines the hash.

You should see match true get logged to the console, since we're checking the string 'secret' against the hash corresponding to that string. But if you try comparing hash to any other string, you should see that the console outputs match false instead.

Adding Auth to our applications

Now that we have a good idea of how to hash passwords, let's build a small API that allows for a user to send a username (which will be unique) and password (which will be required) to our Express server. We will then take that plain text password and hash it to store it in the database.

Logging in

So far we have a good start on the app, but once a user has logged in we need some way of remembering who they are and that they've logged in! In the next section we'll introduce a technology called JSON Web Tokens or JWTs, which is what we will send back from the server to mark a user as logged in.